
2008

Datastore Replication
with XenApp 5.0
using SQL 2005 SP2 with
Windows Authentication

This document walks the user through configuration of XenApp 5.0 and SQL 2005 SP2 IMA Datastore Replication from start to finish.

James Richards - Platinum Test Team


Contributions by Jeff Reed, Rene Alfonso & Tim Card
Citrix Systems Inc.
8/1/2008

Platinum Tested
Table of Contents
SQL Install Guidelines:
Installation guidelines for SQL 2005 .......... 3
Single Windows service account .......... 4
SQL Configured for Windows Auth mode only .......... 4
Kerberos Delegation:
Configuration of Kerberos Delegation for SQL systems .......... 5
Using the SETSPN command .......... 5
Kerberos Delegation .......... 6
Specify the user account for Kerberos Delegation .......... 7
Add and check the name to be used for Kerberos Delegation .......... 7
Verify that the MSSQLSvc info is reported properly .......... 7
Set the user delegation settings properly .......... 8
Configure MSDTC on both SQL DB systems .......... 9
Configure Replication:
Accounts used and create the replica DB and specify dbo rights .......... 10
Check the Security/Logins is set properly .......... 10-11
Begin to configure Distribution .......... 12
Distributor and Complete the configuration of the Distribution wizard .......... 13
Publisher Properties .......... 14
Specify the Publication Database to be used .......... 15
Begin the New Publication wizard .......... 16
Publication Database and Publication Type .......... 17
Articles .......... 18
Snapshot Agent and Agent Security .......... 19
Snapshot Agent Security details .......... 20
Agent Security Queue Reader Agent .......... 20
Queue Reader Agent Security .......... 21
Publication Name .......... 21
Publisher Properties and Publication Access List .......... 22
Configure a New Linked Server .......... 23
Linked Server, Security and Options to be used .......... 24
Begin the New Subscription wizard .......... 25
Publication .......... 26
Distribution Agent Location .......... 26
Subscribers .......... 27
Windows Auth for credentials to Subscriber .......... 27
Subscribers Subscription Database .......... 28
Distribution Agent Security .......... 28
Specify the Windows account to be used .......... 29
Verify the Distribution Agent Security .......... 30
Synchronization Schedule .......... 30
Updatable Subscriptions .......... 31
Login for Updatable Subscriptions .......... 31
Initialize Subscriptions .......... 32
Complete the Wizard .......... 32
Creating Subscriptions Success .......... 33
Confirming the replicated tables are listed .......... 33
View Synchronization Status .......... 34
Monitor the Synchronization Status .......... 34
Replication Monitor .......... 35
Verification Scenario .......... 35-39
MISC Info .......... 40
Blank page for Notes .......... 41
2|P a g e

This guide was originally based on http://support.citrix.com/article/CTX101739, which used SQL 2000 and Mixed Mode Authentication with the default SA account. This guide is by no means the only method by which you can configure replication. The intention is to provide a more secure replication environment using Windows Authentication Only mode. However, it should be noted that you can always use Mixed Mode Authentication, the SA account and the default wizards to set up replication.
For information about Datastore replication with SQL 2008, refer to http://support.citrix.com/article/CTX118849
Without having to install SQL servers, these procedures should take one to two hours for the initial setup.
Within this document there are three separate accounts used:
1. svc_IMA - Domain User account used during the installation of XenApp; it also has database owner (dbo) rights and its default database is set to the IMA DB.
2. svc_SQL - Domain User account used for the SQL Replication procedures.
3. adm_SQL - Domain User account with local Administrator privileges on the SQL systems, used to run the SQL Management Studio.
The screen shot below shows the Domain User accounts created in a ServiceAct OU that was used throughout this document:

Installation guidelines for SQL 2005:


There are a number of components that may be installed during the SQL Server 2005 setup. The SQL Server Database Services
component is required for hosting the Citrix XenApp databases. All other components are optional with regard to Citrix XenApp. The
SQL components selection screen is seen below:

The SQL 2005 Books Online makes the following security recommendations:
Run separate SQL Server services under separate Windows accounts.
Run SQL Server services with the lowest possible privileges.
Associate SQL Server services with Windows accounts.
Require Windows Authentication for connections to SQL Server.
(See http://msdn.microsoft.com/en-us/library/ms144228.aspx for more information).
For the purposes of this document, a single Windows service account, svc_SQL, was used for all SQL services. However, Microsoft recommends as a security best practice that each SQL service run under its own separate user account.

The SQL 2005 authentication mode was configured for Windows Authentication Mode, per Microsoft security best practice. It is
possible to set up replication using Mixed Mode, however this is not covered in this document.

For the purposes of this document, the defaults were then chosen for the remainder of the install.
After installation, Microsoft SQL Server 2005 Service Pack 2 (SP2) must be installed on both SQL Servers.
The specific version used throughout this guide for testing was:
Microsoft SQL Server 2005 - 9.00.3068.00 Enterprise Edition on Windows NT 5.2 (Build 3790: Service Pack 2)
You can use either of the following SQL queries to see what version you are running:
select @@version
EXEC xp_msver

Configuration of Kerberos and Delegation for the SQL systems:
SETSPN Kerberos Authentication information:
http://support.microsoft.com/kb/319723/
http://poseidom.wordpress.com/2007/12/16/set-spn-for-sql-2005-sccm-remote-sql-fix/

http://msdn.microsoft.com/en-us/library/ms189585.aspx
The following commands can be run either on the Domain Controller that the SQL 2005 systems have joined or on each SQL system, logged on as a Domain Admin, because you must be a Domain Admin to register SPNs. On Windows Server 2003 systems you will need to obtain the SETSPN utility from Microsoft; on Windows Server 2008 systems it is already included in the OS.
http://support.microsoft.com/kb/892777
Syntax:
SETSPN -A MSSQLSvc/MySQLServer.MyDomain.com:1433 MyDomain\svc_SQL

Examples:
C:\>SETSPN -A MSSQLSvc/C3SQL1.c3.sys3lab.com:1433 svc_Sql
Registering ServicePrincipalNames for CN=svc_SQL,OU=ServiceAccounts,OU=System3,DC=c3,DC=sys3lab,DC=com
        MSSQLSvc/C3SQL1.c3.sys3lab.com:1433
Updated object

C:\>SETSPN -A MSSQLSvc/C3SQL2.c3.sys3lab.com:1433 svc_Sql
Registering ServicePrincipalNames for CN=svc_SQL,OU=ServiceAccounts,OU=System3,DC=c3,DC=sys3lab,DC=com
        MSSQLSvc/C3SQL2.c3.sys3lab.com:1433
Updated object

C:\>SETSPN -L C3SQL1
Registered ServicePrincipalNames for CN=C3SQL1,OU=SQL,OU=Servers,OU=AltirisManaged,DC=c3,DC=sys3lab,DC=com:
        HOST/C3SQL1
        HOST/c3sql1.c3.sys3lab.com

C:\>SETSPN -L C3SQL2
Registered ServicePrincipalNames for CN=C3SQL2,OU=SQL,OU=Servers,OU=AltirisManaged,DC=c3,DC=sys3lab,DC=com:
        HOST/C3SQL2
        HOST/c3sql2.c3.sys3lab.com

C:\>SETSPN -Q MSSQLSvc/C3SQL1.c3.sys3lab.com:1433
CN=svc_SQL,OU=ServiceAccounts,OU=System3,DC=c3,DC=sys3lab,DC=com
        MSSQLSvc/C3SQL2.c3.sys3lab.com:1433
        MSSQLSvc/c3sql1.c3.sys3lab.com:1433

Logged on as a Domain Admin, in Active Directory Users and Computers you will need to set up Delegation to use Kerberos, reference the svc_SQL user account, and then point to each SQL DB system to be used.
1. For each SQL DB system you will need to select the Properties and then Delegation as seen below, then select the Add button:

2. Select the Users and Computers button:

3. Add the svc_SQL user account to be used for all Windows Authentication.

4. You should then see both SQL DB systems, provided that you have set the SETSPN information correctly. Make sure to Select
All in the UI or use the button and then click OK to continue.

The end result for both C3SQL1 and C3SQL2 should show the following, click OK to continue.

Now you will need to set the delegation setting for the svc_SQL Domain user account to the following:

At this point you no longer need Domain Admin access.

After the SETSPN and Kerberos settings have been set up and verified, run the following SQL query from each SQL DB system using the SQL Management Studio and ensure it returns NTLM or Kerberos:
select auth_scheme from sys.dm_exec_connections where session_id=@@spid

Note: If you run this query directly on each SQL DB system, it returns NTLM; if you run it from a remote connection to a SQL DB system, it should return Kerberos.
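An added verification query, not part of the Citrix guide, that extends the single-session check above to every open connection, so you can see at once whether remote logons (including the replication agents running as svc_SQL) arrive over Kerberos rather than NTLM. It assumes SQL Server 2005 and the account names used in this guide.

```sql
-- Added example, not from the original guide. Run in SQL Management Studio on each SQL DB system.
SET NOCOUNT ON;

-- 1. Confirm the instance is in Windows Authentication mode only (1 = yes, 0 = Mixed Mode).
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_auth_only;

-- 2. Show the authentication scheme of every user connection, not just the current @@spid.
--    Local (shared memory) connections legitimately show NTLM; a remote TCP connection that
--    shows NTLM means the MSSQLSvc SPN or the delegation settings need another look, and any
--    'SQL' scheme means a SQL login is in use instead of Windows Authentication.
SELECT  s.session_id,
        s.login_name,
        s.host_name,
        s.program_name,
        c.net_transport,
        c.client_net_address,
        c.auth_scheme,
        CASE
            WHEN c.net_transport = 'Shared memory' THEN 'local connection, NTLM expected'
            WHEN c.auth_scheme   = 'KERBEROS'      THEN 'OK'
            WHEN c.auth_scheme   = 'NTLM'          THEN 'CHECK: remote logon fell back to NTLM'
            ELSE 'CHECK: SQL login in use, not Windows Authentication'
        END AS assessment
FROM    sys.dm_exec_sessions    AS s
JOIN    sys.dm_exec_connections AS c ON c.session_id = s.session_id
WHERE   s.is_user_process = 1
ORDER BY c.auth_scheme, s.login_name;
```

Run it while the Distribution Agent and Queue Reader Agent are active so their svc_SQL sessions appear in the list.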

Verify the MSDTC Security Configuration

1. On each SQL server being used for replication, perform the following steps, starting from Start/Run: dcomcnfg
2. Expand the Component Services node, then the My Computer node, then right-click and select Properties.
3. Select the MSDTC tab, and select the Security Configuration button.
4. Select Network DTC Access, Allow Remote Administration, Allow Inbound, Allow Outbound and Mutual Authentication Required.
5. Reboot your systems if changes have been made; otherwise click OK to continue and close dcomcnfg.

At this point you will install/create the first server in the farm using the Publisher/SQL DB system. Before configuring replication, the
database that acts as the IMA Datastore must exist on the SQL server acting as the Publisher and the IMA database on the Publisher
must contain the tables created by the IMA service.
Make sure to check the Security/Logins and verify that the svc_IMA account exists on the SQL DB systems and the properties are
set accordingly using the below examples:


1. Create a new (EMPTY) database on the SQL server (Subscriber) that will be used for the replica. The name should reflect the same name already used; in the example below it is IMA. Make sure that the database user is the same on the publisher database server as on the replica server and is given database owner rights (dbo). In this case, it is the svc_IMA user account. Follow the Security/Logins listed on page 9 for further details.

2. In the SQL Server Management Studio on the server that is to be used for the master database, right-click the replication folder and
click the Configure Distribution option.

3. Select the current server to be the distributor on the Select Distributor page, then click Next to continue.

4. Keep the default Snapshot folder and leave the default distribution database name and locations, then click Next to continue.
Keep the Publishers as the Default and click Next to continue. Leave the Wizard Actions as the default set for Configure Distribution
and click Next to continue.
5. Click Finish to complete the wizard.


6. Right-click the Replication Folder, and select the Publisher properties.

7. Select the Publication Databases and enable the Transactional check box adjacent to the database to be replicated, and click OK to
continue.

At this point the Administrator has the option to run the existing DSMAINT command that automatically creates the Publication.
However, this command is not covered or used at this point in time and manual steps are used.
EXAMPLE ONLY!
Execute the dsmaint publishsqlds command on the first server in the farm. This step executes the necessary SQL statements to create
the published articles on the current Microsoft SQL Server (Publisher).
C:\>dsmaint PUBLISHSQLDS /user:c3\svc_Ima /pwd:******** /joblogin:c3\svc_SQL /jobpwd:********

8. Select the Replication folder, then right-click the Local Publications folder. Select New Publication, which starts the New Publication wizard.


9. The next screen is the Choose Publication Database screen. Highlight the database to replicate and click Next.

10. Select the Transactional publication with updatable subscriptions option as the publication type and click Next.

11. The Specify Articles screen is one of the most important screens of the process. Select the Tables check box and click Next to continue.

You may see the following Article Issues dialog. This issue is OK. Click Next and Next to continue.

12. Select the option below, create a snapshot immediately, and click Next to continue.

13. Select the Security Settings button to identify the specific account to use for the SQL Server Agent.

Note: If you do not see the option for Use the security settings from the Snapshot Agent check box, chances are you ran the
DSMAINT PUBLISHSQLDS command as stated on page 14. Otherwise you must Disable Publishing and Distribution and begin
again.

14. Specify the SQL Server Agent account to use.

Once specified, click OK to continue.

15. In the Agent Security screen you must specify the security settings for the Queue Reader Agent, then click the Security Settings
button.

16. Once specified click OK, then Next and Next.

17. The Publication name can be anything, in previous replication documents or administrators guides it was called MFXPDS,
however, for this document it was changed to something more current - IMADS.

18. Click Finish on the final screen of the wizard.

19. Verify the Publisher Properties and the Publication Access List (PAL). Start by right-clicking the publication and selecting Properties.

20. Ensure that you have the svc_IMA account listed here. You may also see the SA account; it can be removed for security reasons.

21. Configuring a Linked Server:
Also refer to the MS SQL 2005 Online help for further info.
Set up and Configure the Linked Server and Authentication:
Create a Linked Server from C3SQL2(Subscriber) to C3SQL1(Publisher)

22. Specify the SQL Server to use:

23. Within the Security options you will need to specify the option "Be made using the login's current security context".

24. For the Server Options, make sure to change the options as seen below:


25. Right-click the local publications in the Local Publications folder and select New Subscription. This starts the new subscription
wizard.


26. Confirm the correct publisher and publication to use and click Next to continue.

27. Select the option for (Push Subscriptions), if not already selected and click Next to continue.


28. Select the button to Add SQL Server Subscriber and a security dialog appears asking for the credentials of the Subscriber system.
Click Connect to continue.

29. Ensure that the check box is selected for the subscriber from the list on the next screen, then select the correct empty database to use and click Next to continue.

30. On the Distribution Agent Security page choose the "..." button.


31. Select the correct Windows account to use that runs the Distribution Agent process. In this case we are using the main SQL Server
service account used during installation. Leave all other fields set to default and click OK to continue.

32. Confirm that the Windows account used is set correctly for the Distributor and the Subscriber, then click Next.

33. Set the Distribution Agent Schedule to Run Continuously, then click Next.

34. Set the Commit at Publisher to Simultaneously commit changes, then click Next to continue.

35. Specify the linked server or remote server option to be used and click Next to continue.

36. Verify that the Initialize Subscriptions is set for Immediately, then click Next and Next to continue.

37. Confirm that the Subscription wizard process has been set correctly and click Finish.

Upon the completion of the wizard you should see the following Success. Click Close to continue. If you get any Error or Warnings
please review that the above procedures have been properly configured.

38. Make sure that the following tables are on the replicated database listed under the System Tables:
dbo.MSreplication_objects
dbo.MSreplication_subscriptions
dbo.MSsnapshotdeliveryprogress
dbo.MSsubscription_agents
If the tables are not all there, you must delete the replication setup and start again.
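An added T-SQL check, not from the Citrix guide, that covers the checks the guide asks you to make by hand: the svc_IMA login and its default database (step 1), its dbo rights, the four replication system tables (step 38) and the Publication Access List (step 20). It assumes the names used in this guide: domain C3, database IMA and publication IMADS.

```sql
-- Added example, not part of the original guide. Run on the Subscriber (C3SQL2) and then
-- on the Publisher (C3SQL1); section 4 only returns rows on the Publisher.
SET NOCOUNT ON;
USE IMA;
GO

-- 1. The svc_IMA login exists, is a Windows login and defaults to the IMA database.
--    Expect one row with type_desc = WINDOWS_LOGIN and default_database_name = IMA.
SELECT name, type_desc, default_database_name
FROM   sys.server_principals
WHERE  name = N'C3\svc_IMA';

-- 2. svc_IMA (and nothing unexpected) is a member of db_owner in IMA.
SELECT  m.name AS member_name, r.name AS role_name
FROM    sys.database_role_members AS rm
JOIN    sys.database_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN    sys.database_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE   r.name = N'db_owner';

-- 3. The four replication system tables exist on the replicated database (step 38).
--    Any MISSING row means replication must be removed and set up again.
SELECT  t.expected_table,
        CASE WHEN OBJECT_ID(N'dbo.' + t.expected_table, N'U') IS NULL
             THEN 'MISSING' ELSE 'present' END AS status
FROM   (SELECT N'MSreplication_objects'       UNION ALL
        SELECT N'MSreplication_subscriptions' UNION ALL
        SELECT N'MSsnapshotdeliveryprogress'  UNION ALL
        SELECT N'MSsubscription_agents') AS t(expected_table);

-- 4. On the Publisher only: the Publication Access List should list C3\svc_IMA,
--    and sa should have been removed (step 20).
EXEC sp_help_publication_access @publication = N'IMADS';
```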

You can now move on to verifying that Replication is working properly. Start by checking the Replication Monitor, following the steps below:

39. Select the original subscription, right click and select the View Sync Status.

You should see the following Status bar which you can use to monitor when transactions are replicated.

40. If you then click on the Monitor button, you can view success and errors of the replication process in greater detail.

Scenario for verifying Replication is set up properly:


1. Log on to the second XenApp system as a local Administrator and add svc_IMA to the local Administrators group. Log off and then back on as this new local admin (the svc_IMA account) and then install just the SQL Management Studio. You will then connect to the C3SQL2 system using Windows Authentication as svc_IMA. If Windows Authentication fails, verify that the svc_IMA account has been added to the Security Logins and that its default DB has been set to the IMA DB.
Run DSRepCheck against the IMA DB. You can download the DSRepCheck Citrix utility to help verify that Replication is set up correctly:
http://support.citrix.com/article/CTX111656
Run the stored procedure on the Subscriber against the IMA DB, then run the following SQL query:
DSRepCheck C3SQL1,IMA

If all the above is successful, you can proceed to install XenApp and join the farm, use the svc_IMA account during the install for
the ODBC connection and the Citrix credentials, and point to the Subscriber/replicated SQL DB C3SQL2.


2. Make sure that when selecting which SQL DB to use and join, you select the Subscriber system. In the above steps this would be
the C3SQL2 DB system.


After the installation has completed you must reboot your system.

3. Launch the Access Management Console from the first server in the farm and add an Administrator to the farm for the svc_IMA
account.
4. Once this second system has been installed and rebooted, launch the Access Management Console on this newly installed server
and proceed to publish any application.
5. If replication is working correctly, launch the Access Management Console on the first server in the farm and you should then see
the newly added published application. You should also be able to modify the properties of the application as well.

MISCELLANEOUS INFORMATION
Caution: Do not use merged replication. Using merged replication corrupts the data store.
SQL versions and their patch level:
http://www.sqlsecurity.com/FAQs/SQLServerVersionDatabase/tabid/63/Default.aspx
SQL2K5 Encryption Info:
http://www.microsoft.com/technet/prodtechnol/sql/2005/sqlencryption.mspx

Existing SPN found for servers in a different farm that are going to be put in the current one. Run chfarm and select the server with
the replicated database. If there will be a fresh installation of XenApp, select the replicated database server when prompted.
For a server in the current farm that will be configured to use the new database, create a new dsn file on the server which points to the
replicated SQL server. Then use the dsmaint config command from a command prompt to re-point the IMA Service to the new data
store.
http://msdn2.microsoft.com/en-us/library/ms144228.aspx
sp_link_publication info:
http://technet.microsoft.com/en-us/library/ms174991.aspx
@security_mode = 2
Database corruption: if a subscriber database becomes corrupted, will it corrupt all the replica databases? Resolution: database backup and restore:
http://msdn.microsoft.com/en-us/library/ms151152.aspx?
Currently SQL doesn't support both mirroring and transactional replication with immediate updating.
http://msdn.microsoft.com/en-us/library/ms151799.aspx

Transactional replication with immediate updating allows changes to occur on the subscriber or the publisher. From an application standpoint these changes are transparent, and SQL is responsible for synchronizing all changes.
SQL does this by using two different mechanisms:
1. Changes on the publisher are recorded to the distribution database by the Log Reader Agent and then pushed out by the Distribution Agent (there may be a slight delay depending on network and SQL performance).
2. Changes on the subscriber are intercepted by triggers that use the Distributed Transaction Coordinator to ensure the changes are written to both databases (two-phase commit). Any additional subscribers are updated by the Distribution Agent.
Replication supports mirroring the publication database for merge replication and for transactional replication with read-only
Subscribers or queued updating Subscribers. Immediate updating Subscribers, Oracle Publishers, Publishers in a peer-to-peer
topology, and republishing are not supported.